On Wed, 21 Dec 2022 20:11:44 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:

>> Volker Simonis has updated the pull request incrementally with one 
>> additional commit since the last revision:
>> 
>>   Optimized initialisation of currentKeyID and deletion of expired session 
>> keys as proposed by @schlosna
>
> src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java line 
> 182:
> 
>> 180: 
>> 181:     // Package-private, used only from SSLContextImpl::engineInit() to 
>> initialie currentKeyID.
>> 182:     void initCurrentKeyID(int keyID) {
> 
> The ID will work as if it is unique in the context, granted with 
> synchronization. It may not be necessary to use a secure number for it. The 
> ID could be assigned at constructor (see comment above, use number zero or 
> the current time, etc.), and thus this method and the caller code could be 
> removed, I think.

I'm not an expert in this area, but [RFC 5077 
recommends](https://www.rfc-editor.org/rfc/rfc5077#page-10) that the ID 
"*should be randomly generated to avoid collisions between servers*". What 
about initializing it to the `hashCode()` of the `SSLSessionContextImpl` object?

-------------

PR: https://git.openjdk.org/jdk/pull/11590
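
The trade-off discussed in this thread, as an added illustration that is not part of the original message and is not code from the PR or the JDK: two independent servers each hold their own ticket key, and a ticket issued by one is presented to the other, once with a fixed initial key ID and once with a random one (two random 32-bit IDs differ except with probability 2^-32). The class name `TicketKeyIdDemo`, the ticket layout and the use of AES-GCM are assumptions made for the demo.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.*;
// Hypothetical model of one ticket-issuing server; not the JDK's SSLSessionContextImpl.
public class TicketKeyIdDemo {
    static final SecureRandom RNG = new SecureRandom();
    final Map<Integer, SecretKey> keys = new HashMap<>();
    final int currentKeyID;
    TicketKeyIdDemo(int initialKeyID) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        currentKeyID = initialKeyID;
        keys.put(currentKeyID, kg.generateKey()); // every server has its own secret key
    }
    static Cipher gcm(int mode, SecretKey k, byte[] iv) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, k, new GCMParameterSpec(128, iv));
        return c;
    }
    // Ticket layout constructed for this demo: keyID(4) | iv(12) | AES-GCM ciphertext+tag
    byte[] issue(byte[] state) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv);
        byte[] ct = gcm(Cipher.ENCRYPT_MODE, keys.get(currentKeyID), iv).doFinal(state);
        return ByteBuffer.allocate(16 + ct.length).putInt(currentKeyID).put(iv).put(ct).array();
    }
    String accept(byte[] ticket) {
        ByteBuffer b = ByteBuffer.wrap(ticket);
        SecretKey k = keys.get(b.getInt());
        if (k == null) return "unknown key ID -> full handshake, no decryption attempted";
        byte[] iv = new byte[12], ct = new byte[ticket.length - 16];
        b.get(iv).get(ct);
        try {
            gcm(Cipher.DECRYPT_MODE, k, iv).doFinal(ct);
            return "resumed";
        } catch (Exception e) { // AEADBadTagException: the ID matched, the key did not
            return "key ID collision -> decrypt fails, then full handshake";
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] state = "session-state".getBytes();
        System.out.println("fixed 0 : " + new TicketKeyIdDemo(0).accept(new TicketKeyIdDemo(0).issue(state)));
        System.out.println("random  : " + new TicketKeyIdDemo(RNG.nextInt()).accept(new TicketKeyIdDemo(RNG.nextInt()).issue(state)));
        TicketKeyIdDemo s = new TicketKeyIdDemo(RNG.nextInt());
        System.out.println("same srv: " + s.accept(s.issue(state)));
    }
}
```

In both cross-server cases the client ends up with a full handshake; the difference is whether the receiving server can tell from the ID alone that the ticket is not its own.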
